Boot Camp: A Beginner’s Guide to Bug Bounties

A few years ago, hacking the United States Government might have landed you with Computer Fraud and Abuse Act charges and a lengthy stint in a federal penitentiary. Fast forward to 2016 – hacking the US would still bring you behind bars, save for a few select systems. Earlier this year, the Pentagon opened its doors to hackers eager to get their hands on government properties.

Hooah!

Not to be outdone, in November 2016, the US Army announced and opened their own Hack the Army challenge to interested hackers. 500 among them will be chosen to start aiming their crosshairs on “operationally significant websites including those mission critical to recruiting” hoping to find flaws that could earn them “thousands of dollars in cash.”

On the same day Hack the Army opened its registrations, the Department of Defense also announced its new Vulnerability Disclosure Policy (VDP), outlining the rules on how security researchers can go about finding holes in .mil websites without fear of the FBI knocking on their doors. Although the initiative does not specify bounties for submitted vulnerabilities, the DoD stated that they “will seek to allow researchers to be publicly recognized whenever possible.”

Next-level exterminators

Crowdsourced vulnerability disclosure programs has surprisingly been around for quite some time. The first official bug bounty program was launched in 1995 by Jarrett Ridlinghafer of Netscape Communications Corporation. Two decades on, Facebook, Google, Apple, and hundreds more bug bounties are available for full-time hunters, tech guys looking to earn some extra cash, or even newbies wanting to gain hands-on pentesting experience. Hackers capable enough can be rewarded up to $30,000 for critical flaws, with some earning as much as $200,000 annually from these programs alone.

With the siren call of financial rewards, a chance for fame, and the opportunity to peek inside the systems of the some of the biggest and most interesting companies in the world, and recently, even the most powerful military on Earth, it begs the question: how does one end up as a bug bounty hunter?

IT security research is an exciting field to be in today – what with the myriad of issues facing the rapidly evolving cyber-physical world.

There are literally thousands of resources out there for those wanting to enter IT security, but as with anything else, it’s important to tread carefully and map out a course of attack since it’s easy to get overwhelmed by the sheer number of books, classes, write-ups, tutorials, and courses available.

Wise up

A recommended reading from eLearnSecurity Founder and CEO Armando Romeo is the Web Application Hacker’s Handbook, saying that it’s a “complete book that brings you from the basics of web app security to the most advanced exploitation scenarios specific to XSS vulnerability.” This book is considered as the web app hacker’s ‘bible,’ and should not be missed.

The OWASP Testing Guide is also a valuable resource focusing on the numerous kinds of techniques and tools used for web app security testing.

As most bug bounties have websites as targets, it is important to delve deep into web application security head (and hands) on. The Web Application Penetration Testing training course allows students to go in depth on web app analysis and information gathering. WAPT starts from web app attacks and lands in network and infrastructure pentesting.

The structured method of teaching in these courses, coupled with the included virtual lab scenarios, WAPT, PTS, and PTP could shave some time off the journey of gaining penetration testing skills.

Practice what they preach

The best way to retain knowledge is to put it to the test. In addition to the Hera Lab scenarios included in the courses mentioned above, there are also other platforms acting as free-for-all war zones for hackers to go wild on. One such simulated environment to test intentionally vulnerable systems is Hack.me.

Hack.me is a free platform allowing users to build, host, share, and try out vulnerable web applications, code samples, and CMSs in an isolated sandbox.

It is also important to have an idea of how the experts go about their work. There are various reports and POCs that can be found online, which could prove as a valuable reference when performing tests. One example is this GitHub repository containing a curated list of public pentesting reports from several security firms and academic groups. Another is Bugcrowd’s collection of bug bounty write-ups submitted by successful hunters.

Maybe don’t even bother bringing the toolkit…

Although tools usually make things a lot more efficient, most programs do not allow the use of automated scanners. And, since scanners are definitely no replacement for a hacker’s creativity and ingenuity, it is unlikely to find new bugs not previously discovered and reported before.

However, according to eLearnSecurity’s Director of IT Security Training Francesco Stillavato, the best tools to have in the armory when hunting is Burp Suite, sqlmap, ZAP, and Firefox coupled with a bunch of pentesting add-ons.

Get down to business

Now is the time to figure out where to find active bounties and create a plan of action. Signing up for sites that host bug bounties on behalf of other companies is a good starting point. Some of the best are:

Bug bounties have specific methodologies and guidelines to follow, and understanding how each step works maximizes the chance of a successful hunt and ensures qualifying for rewards. Bugcrowd’s Jason Haddix gives a great video presentation on how a bounty hunter finds bugs.

Once that’s covered, the only thing left to do is to start hunting! Newbies might want to begin on programs that award minimal amounts or ones that give out rewards focused on building street cred, such as Bugcrowd’s ‘kudos points.’ These are often overlooked by experienced hackers, and are good opportunities to show off skills and get noticed.

Always mingle!

Hackers are a generous bunch, and would not hesitate sharing their knowledge with fellow researchers. Joining security-focused groups such as the eLearnSecurity Community Forums and following other hackers on Twitter would keep one in the loop on the latest news, presentations, meetups, and opportunities.

Bug bounties are a great way into IT security and could open a lot of doors to a promising career. After all, hands-on experience still ranks highest among what top employers are looking for.

Be on your way to your first bug bounty! Get started for free with eLearnSecurity’s penetration testing-centered training courses with these demos: